A malware campaign is targeting Windows users in Korea through webhard file-sharing platforms.
The AhnLab Security Intelligence Center (ASEC) recently found xRAT, also known as QuasarRAT, being distributed to unsuspecting users disguised as adult games.
This remote access trojan is a serious threat to Windows systems: it combines an in-memory evasion technique with a social-engineering lure that works well against ordinary users.
The malware abuses webhard services, which are widely used in Korea for content distribution.
The attackers take advantage of the platform's reach by uploading compressed archives that pose as harmless games and adult material.
Users see what looks like a legitimate game download but actually receive malicious files hidden behind appealing file names and descriptions.
The lure has proven effective: because the archive looks like an ordinary game, nothing about the download itself raises the user's suspicion.
ASEC analysts found that the same threat actor had posted many similar uploads, pointing to a coordinated campaign rather than a one-off.
Although many of the posts had already been removed by the time of analysis, the researchers confirmed that several of the "games" still available carried the identical malware payload.
Infection and Persistence Mechanism
The infection chain is multi-staged. The downloaded ZIP archive contains several components, including Game.exe, Data1.Pak, and supporting files.
When run, Game.exe acts as a launcher rather than an actual game.
When the user presses the play button, the launcher copies Data1.Pak into a Locales_module directory as Play.exe, and at the same time drops Data2.Pak and Data3.Pak into a directory associated with Windows Explorer as GoogleUpdate.exe and WinUpdate.db, respectively. The .Pak extension and the Google-style file name are chosen so the dropped files look like game data and a legitimate updater.
The chain continues when GoogleUpdate.exe runs: it looks for WinUpdate.db in its own directory and decrypts it with AES to recover the final shellcode.
This shellcode is injected into explorer.exe, a core Windows process that is always running on an interactive desktop. Injection does not raise the malware's privileges (it inherits explorer.exe's ordinary user token), but it lets the RAT hide inside a trusted process so that its file and network activity is attributed to Explorer rather than to a suspicious binary.
Notably, the malware overwrites the beginning of the EtwEventWrite function in explorer.exe's address space with a return instruction, so that every call into it returns immediately and no event is written. This effectively disables Event Tracing for Windows (ETW) for that process.
This is an evasion step rather than a persistence mechanism: it blinds user-mode ETW providers inside the injected process, which many EDR sensors and Windows event sources rely on, and so hides the malicious behavior from conventional event-based detection. Kernel-side telemetry and events emitted by other processes are not affected by the patch, which is why comparing the in-memory bytes of EtwEventWrite against the on-disk copy in ntdll.dll is a useful check.
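The following is an added example, not code from ASEC or from the malware, that shows how a defender can check a captured EtwEventWrite prologue for the kind of immediate-return patch described above. The list of stub signatures, the helper names and the sample byte strings are assumptions constructed for illustration; only read_live_prologue touches a real process, and only on Windows.

```python
# Added example (not ASEC's code): detect an immediate-return stub written over
# the start of EtwEventWrite, the ETW-blinding trick attributed to xRAT above.
# The signature table and the sample prologues are constructed for illustration.
import sys
from typing import Optional

# Common stubs that make EtwEventWrite return before emitting an event.
# (Assumed list of well-known variants; the article only says "a return instruction".)
ETW_PATCH_SIGNATURES = {
    "ret":                    bytes.fromhex("c3"),
    "xor eax,eax; ret":       bytes.fromhex("33c0c3"),
    "ret 0x14 (x86 stdcall)": bytes.fromhex("c21400"),
    "mov eax,0; ret":         bytes.fromhex("b800000000c3"),
}


def find_etw_patch(prologue: bytes) -> Optional[str]:
    """Return the name of the return stub found at the start of `prologue`,
    or None when the bytes do not begin with a known stub."""
    for name, sig in ETW_PATCH_SIGNATURES.items():
        if prologue.startswith(sig):
            return name
    return None


def compare_with_disk(live: bytes, on_disk: bytes) -> bool:
    """True when the in-memory prologue differs from the on-disk prologue over
    the bytes both samples cover. A mismatch catches stubs that are not in the
    signature table, so it is the stronger of the two checks."""
    n = min(len(live), len(on_disk))
    if n == 0:
        raise ValueError("need at least one byte from both samples")
    return live[:n] != on_disk[:n]


def read_live_prologue(n: int = 8) -> bytes:
    """Read the first n bytes of EtwEventWrite in the current process.
    Windows only: ctypes resolves the export from the already-loaded ntdll.dll."""
    import ctypes
    ntdll = ctypes.WinDLL("ntdll")
    addr = ctypes.cast(ntdll.EtwEventWrite, ctypes.c_void_p).value
    return ctypes.string_at(addr, n)


if __name__ == "__main__":
    # Constructed samples: an untouched-looking prologue and a patched one.
    CLEAN = bytes.fromhex("4883ec28")      # e.g. "sub rsp, 0x28" (constructed)
    PATCHED = bytes.fromhex("33c0c3909090")  # "xor eax,eax; ret" + padding
    for label, sample in (("clean", CLEAN), ("patched", PATCHED)):
        print(f"{label}: stub={find_etw_patch(sample)} "
              f"differs_from_disk={compare_with_disk(sample, CLEAN)}")
    if sys.platform == "win32":
        live = read_live_prologue()
        print("this process:", live.hex(), "->", find_etw_patch(live) or "no known stub")
```

In a real investigation the on-disk bytes for compare_with_disk come from parsing the export table of the ntdll.dll file that the process loaded, and the live bytes from reading the target process (ReadProcessMemory) rather than the scanner's own; the matching logic is the same.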
The injected code is the actual xRAT payload, which collects system information, logs keystrokes, and transfers files to and from the compromised machine at the attacker's direction.
To avoid infections of this kind, download software only from official sources and treat executables bundled inside archives from file-sharing sites with extreme caution.